Bug 2229824

Summary: [RFE] Allow SSSD to generate subids for LDAP and AD-based users
Product: Red Hat Enterprise Linux 9
Reporter: Chance Callahan <ccallaha>
Component: sssd
Assignee: Alexey Tikhonov <atikhono>
Status: NEW
QA Contact: sssd-qe
Severity: medium
Priority: unspecified
Version: 9.2
CC: aboscatt, atikhono, ipedrosa, pbrezina
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Flags: ipedrosa: needinfo? (aboscatt)
Hardware: All
OS: Linux
Whiteboard: sync-to-jira
Doc Type: If docs needed, set a value
Story Points: ---
Type: Story
Regression: ---
Documentation: ---
Category: ---

Description Chance Callahan 2023-08-07 20:45:06 UTC
1. Proposed title of this feature request

Allow SSSD to generate subids for LDAP and AD-based users.

3. What is the nature and description of the request?

The customer wishes to use rootless Podman with AD users coming in over LDAP. Currently SSSD only supports this with IPA-based users.

4. Why does the customer need this? (List the business requirements here)

The customer needs subid support for use with rootless Podman.

5. How would the customer like to achieve this? (List the functional requirements here)

The same method currently used for IPA-based users by editing the nsswitch.conf and assigning subid management to SSSD.

6. For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Red Hat can test to confirm with internal tooling.

7. Is there already an existing RFE upstream or in Red Hat Bugzilla?

Not that I can find.

8. Does the customer have any specific timeline dependencies and which release would they like to target (i.e. RHEL8, RHEL9)?

No.

9. Is the sales team involved in this request and do they have any additional input?

No.

10. List any affected packages or components.

* sssd
* podman

11. Would the customer be able to assist in testing this functionality if implemented?

Yes.

Comment 4 Alexey Tikhonov 2023-08-08 11:33:26 UTC
(In reply to Chance Callahan from comment #0)
> 1. Proposed title of this feature request
> 
> Allow SSSD to generate subids for LDAP and AD-based users.
...
> 5. How would the customer like to achieve this? (List the functional
> requirements here)
> 
> The same method currently used for IPA-based users by editing the
> nsswitch.conf and assigning subid management to SSSD.

SSSD does *NOT* generate subid ranges for IPA-based users.

SSSD merely fetches those ranges from the IPA server, as a kind of extended NSS user attribute.

FreeIPA implements an LDAP schema and means to generate/assign ranges to IPA users: see https://github.com/freeipa/freeipa/blob/master/doc/designs/subordinate-ids.md for details.

It would be possible to implement the same range fetching in 'sssd-ad' (as it's done in 'sssd-ipa').

But the main blocker here is range generation/assignment on the AD server; this is totally out of SSSD's hands. As far as I know, no standardized solution exists.
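As an added example (not code from this bug, SSSD or shadow-utils), the following Python checker covers the two pieces of local configuration the discussion turns on: the `owner:start:count` range format that `/etc/subuid` and `/etc/subgid` use, and the `subid:` line in `nsswitch.conf` that item 5 proposes pointing at `sss`. It reports which source supplies a user's ranges and flags overlapping ranges, which would let two users share subordinate IDs. The sample entries are constructed; the assumption that an absent `subid:` line means local files only is noted in the code.

```python
import re
from typing import NamedTuple


class SubidRange(NamedTuple):
    owner: str   # user name (shadow-utils also accepts a numeric UID here)
    start: int   # first subordinate ID of the range
    count: int   # number of IDs in the range

    @property
    def end(self) -> int:
        return self.start + self.count - 1  # last ID, inclusive


def parse_subid_file(text: str) -> list[SubidRange]:
    """Parse 'owner:start:count' lines; blank and '#' lines are skipped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
            raise ValueError(f"line {lineno}: expected owner:start:count")
        owner, start, count = parts[0], int(parts[1]), int(parts[2])
        if count == 0:
            raise ValueError(f"line {lineno}: count must be positive")
        ranges.append(SubidRange(owner, start, count))
    return ranges


def overlapping(ranges: list[SubidRange]) -> list[tuple[SubidRange, SubidRange]]:
    """Neighbouring entries (sorted by start) whose ranges intersect.
    Two users sharing subordinate IDs defeats the per-user isolation the
    ranges exist for, so any hit is a misconfiguration worth fixing."""
    ordered = sorted(ranges, key=lambda r: r.start)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b.start <= a.end]


def subid_sources(nsswitch_text: str) -> list[str]:
    """Services named on the 'subid:' line ('sss' hands lookups to SSSD).
    An empty list means the line is absent; this example assumes that
    only the local files are consulted in that case."""
    for line in nsswitch_text.splitlines():
        m = re.match(r"^\s*subid:\s*(.*?)\s*$", line)
        if m:
            return m.group(1).split()
    return []


# Constructed sample data: carol's range collides with bob's (165536..231071).
SAMPLE_SUBUID = "# constructed /etc/subuid\nalice:100000:65536\nbob:165536:65536\ncarol:200000:65536\n"
SAMPLE_NSSWITCH = "passwd: sss files\nsubid: sss\n"
```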